About JWT Decoder & Validator
JSON Web Tokens (JWT) are a compact, URL-safe way to represent claims between two parties. They are the standard for API authentication, OAuth 2.0, and session management in modern web applications. This tool decodes any JWT and displays the header, payload, and individual claims in a readable format. You can also verify the token signature using a shared secret (HS256/HS384/HS512) or a public key (RS256/RS384/RS512). Useful for debugging authentication flows, verifying token integrity, and understanding token structure.
How to Use
- Paste your JWT into the input field.
- Optionally enter a secret or public key to verify the signature.
- Click "Decode & Verify" to parse and validate the token.
- View the decoded header, payload, expiration status, and signature verification result.
Key Features
- ✓ Decode JWT header and payload
- ✓ Display all standard and custom claims
- ✓ Show expiration and issued-at timestamps with countdown
- ✓ Verify signatures with HMAC (HS256, HS384, HS512)
- ✓ Verify signatures with RSA (RS256, RS384, RS512)
- ✓ Algorithm detection and display
Common Use Cases
- Debugging OAuth 2.0 authentication flows
- Inspecting API access tokens
- Verifying JWT claims and expiration
- Validating token signatures during development
- Learning JWT structure and standards
Frequently Asked Questions
What is a JWT token?
A JSON Web Token (JWT) is a compact token format consisting of three Base64url-encoded parts: header, payload, and signature, separated by dots. It is used for securely transmitting information between parties.
Can this tool verify JWT signatures?
Yes. Enter your HMAC secret or RSA public key in the optional field and the tool will verify the token signature. Supported algorithms: HS256, HS384, HS512, RS256, RS384, RS512.
Is it safe to paste my JWT here?
Yes. The token is processed server-side within your session and is not stored or logged. However, never share production tokens or signing keys with untrusted services.
What claims are shown?
All claims in the payload are displayed, including standard claims like iss (issuer), exp (expiration), sub (subject), and any custom claims.
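The decode, HMAC signature check, and expiration check described on this page can be reproduced locally with the Python standard library. This is an added example, not the tool's own code: the function names, the `allowed` parameter and the sample secret and claims are assumptions constructed for illustration, and RSA verification is left out because it needs a third-party library.

```python
import base64, hashlib, hmac, json, time

# HMAC algorithms listed on this page, mapped to their hash functions.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(part: str) -> bytes:
    # JWT parts are Base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    # Hypothetical helper: builds constructed sample tokens for the example.
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), HMAC_ALGS[alg]).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def decode_and_verify(token: str, secret: bytes, allowed=("HS256",), now=None) -> dict:
    """Return the claims if the signature and exp check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # covers bad Base64, bad UTF-8 and bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    alg = header.get("alg")
    # The verifier, not the token, decides which algorithms are acceptable;
    # this rejects "none" and anything outside the caller's allow-list.
    if not isinstance(alg, str) or alg not in allowed or alg not in HMAC_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("signature mismatch")
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        raise ValueError("token expired or exp invalid")
    return payload

if __name__ == "__main__":
    sample = make_token({"iss": "example", "sub": "alice", "exp": 2000}, b"demo-secret")
    print(decode_and_verify(sample, b"demo-secret", now=1000))
```

The header and payload are readable by anyone who holds the token, so the signature check only establishes integrity, not confidentiality.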